Facebook – what’s going on and should I be worried?

Posted on: 12 April 2018

This month our Information and IT Security officer, Graeme Wolfe, looks at the recent news about Facebook and how your personal information is worth money to companies, as well as criminals.

“Data is the new oil” and “If you’re not paying for a service, then you are the product”

These are a couple of quotes you may have heard recently in the news, after the revelations that Facebook allowed a number of companies, via various apps and games, to access the data of over 87 million people, which may then have been used to target and manipulate those people to behave in a particular way.

To those of us in the cyber security or digital media industries this is not news, as we have known for years that many large internet companies make their money through advertising and data processing. I mentioned as much in my blog posts in Feb 2016 and Feb 2017.

The trouble is that this is not the first, second or even third time that Facebook has been investigated by regulators across the world. Facebook has been apologising for misusing its users’ data for over 10 years now.

There are numerous stories in the media about the attitude Facebook had towards data security and privacy, with Mr Zuckerberg even admitting before the US Congress that they didn’t do as good a job on these fronts as they should have done.

So the next time you are bored and decide to complete an online ‘quiz’ about your family background, or your early life with pets, or cars, or friends, or colours (funny how they are so often about the same subjects as the security questions used to verify your identity!!!), just consider the fact that someone, somewhere, could be gathering this information about you and storing it for use now, or at any point in the future.

Graeme Wolfe

Information and IT Security Officer

12/04/2018

2 Factor Authentication – what it is and why you should use it.

Posted on: 22 February 2018

This month our Information and IT Security officer, Graeme Wolfe, looks at 2 Factor Authentication (2FA) and wonders why so few people enable and use this valuable security feature.

2 Factor Authentication, or 2FA, is an additional security measure that requires you to use two steps to log into online accounts. 2FA operates by extending the log in process, requiring not just a basic username and password to access or log into a site. It can take the form of a code texted to your phone, a token with a changing number, a hardware token, a card reader often supplied by banks, or even a pre-printed one time code.

Two factor authentication helps to guard against the case where hackers steal usernames and passwords. It demands that each user supply something they know (the password) as well as something they have (a code delivered directly to a personal phone or card-reading device), meaning that if your login and password information has been compromised, your account is still protected.
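The ‘token with a changing number’ mentioned above is usually a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226): the phone or token and the server share a secret, and the displayed code is a keyed hash of the current 30-second time step. The following is an added illustration, not code from the original post; the shared secret is the RFC test-vector value, and the drift window and replay check are this example’s own design choices.

```python
# Added example of how a TOTP "changing number" token is generated and
# checked. Not code from the original post. The secret is the RFC 4226/6238
# test-vector secret, constructed for illustration only; a real secret is
# random and lives only on the token/phone and the server.
import hashlib
import hmac
import struct
import time
from typing import Optional

SECRET = b"12345678901234567890"  # RFC test vector, not a real secret
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over the 8-byte counter,
    then the 'dynamic truncation' of RFC 4226 section 5.3 to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None) -> str:
    """What the app or hardware token displays: HOTP where the counter is the
    number of 30-second steps since the Unix epoch (the 'something you have'
    is the device holding the secret, not the code itself)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Server-side check. Returns the time-step counter that matched, or None.
    `window` tolerates clock drift of +/- one step between device and server;
    `last_counter` is the highest counter already accepted for this user, so a
    code captured by a phisher cannot be replayed inside the window."""
    if at_time is None:
        at_time = time.time()
    current = int(at_time) // STEP_SECONDS
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue  # already used: reject replays
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 6-digit SHA-1 code is 287082
    code = totp(SECRET, at_time=59)
    print("code shown on token:", code)
    matched = verify_totp(SECRET, code, at_time=75)
    print("accepted at counter:", matched)
    print("same code again:", verify_totp(SECRET, code, at_time=75, last_counter=matched))
```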

Two factor authentication has been added to most banking and email accounts and many other online services, but at the recent Enigma 2018 security conference in the USA, a Google engineer revealed that less than 1 in 10 Gmail users have enabled 2FA to secure their accounts.

Google has spent a lot of time and money promoting its 2FA offering, or 2 Step Verification as they prefer to call it, but it appears few people use this security measure.

When they were asked why they didn’t just make it mandatory, their response was very similar to that of many other organisations: they find that their customers are resistant to these enhanced security measures. In fact some organisations have reduced their security measures to speed up the user experience, but this does mean a compromise on security.

So if you have any account that offers you 2FA, I suggest that you enable it, as in the long run it will help you prevent your accounts being compromised.

Graeme Wolfe

Information and IT Security Officer

19/02/2018

Meltdown and Spectre – What you need to know

Posted on: 18 January 2018

This month our Information and IT Security Officer, Graeme Wolfe, looks at two new security vulnerabilities that have made the headlines over the New Year.

You may have seen or heard the names Meltdown and Spectre in the news and thought they were just titles of the latest action adventure films. In reality they are serious security flaws in the way that computer chips, Central Processing Units (CPUs), and Graphics Processing Units (GPUs) handle sensitive data like usernames and passwords, and encryption keys for secure web connections.

The problems lie with the design of the chip’s hardware and the way it handles data. Affected chips from Intel and AMD are in desktops, laptops and some tablets and affected chips from ARM are in most smartphones and tablets.

Meltdown and Spectre are both processor-level vulnerabilities that make it potentially possible for code running in user-mode – which might include malware or even malicious JavaScript served through rogue adverts on web sites or the like – to read from portions of protected kernel memory, an area hosting passwords, login cookies and other secrets, or other portions of memory it should be blocked from accessing.

The vulnerabilities have been rated as ‘Critical’ and affect just about every computer or device with a chip in them that was made since 1995! This includes ALL brands and makes of devices. So whether you have a Dell, HP or an Apple Mac, an iPhone or Android, even those of you out there running Linux, you are all likely to be affected by this. It has even affected all the major ‘cloud service providers’ such as Google, Amazon and Microsoft.

All the major companies in this field have been working on solutions to fix the problem since the middle of last year. A number of security patches have been released to fix the issue with Meltdown, which mainly affects Intel CPUs. The Spectre issue is looking harder to fix though.

You may also have heard that the patches are claimed to slow down machines by up to 30 per cent and if you do a lot of processor intensive ‘data crunching’, or play a lot of immersive games, then you may see a slowdown in performance. For most of us who just send messages, email and surf the web, we are unlikely to notice much of a change. I have updated my phone and all my other devices already and haven’t noticed any dramatic change in performance.

There are currently no specific tools that can exploit either of these flaws, but now the research is out in the open, it will only be a matter of time before ‘off the shelf’ exploits are made available to the hacking and criminal community.

The solution, as always, is patch! patch! patch! Additionally you should ensure your browser is running the latest version as well. As an example, Google, Amazon, Microsoft and Apple all patched their cloud offerings to correct the Meltdown vulnerability as soon as patches were available. They know how important this is. So you should check and see if there are updates available for your device(s) as well.

Do not put off installing any patches from your product supplier and make sure that you shut down / switch off your device when you have finished using it. Most patches will not be applied until the device is restarted. Just closing the lid on your laptop is not enough.

Graeme Wolfe

Information and IT Security Officer

18/01/2018

Bitcoin…Bubble or a sign of the future?

Posted on: 11 December 2017

This month our Information and IT Security officer, Graeme Wolfe, looks at the recent rise in Bitcoin values and the security surrounding them.

You may have heard in the news this month about the rise in value of Bitcoin to over $17,000 for 1 Bitcoin. Considering that bitcoins have been around for less than 10 years and for much of that time their value was in the tens or hundreds of dollars, you may be wondering what has happened recently. You are not alone.

Bitcoin is a cryptocurrency that is not created or regulated by any central bank; instead, bitcoins are ‘mined’ by solving complex mathematical equations on computers.

Bitcoins are monitored by something called a ‘blockchain’, which is a publicly accessible listing of all Bitcoin transactions and involves the use of Private Cryptographic Keys to keep it secure.

So far, so secure.

However, there are a number of ‘traders’ who are set up to enable the buying and selling of bitcoins and this is where the security of the system breaks down.

People who wish to trade in bitcoins often upload their Private Keys to these traders and then can buy and sell with ease.

This has attracted the attention of thieves and criminals who see the stealing of bitcoins as an easy way to make money. Certainly easier than trying to rob a bank!

In 2014 $460m was stolen from the Mt Gox trading site; in 2016 Bitfinex suffered a similar loss and only this month NiceHash suffered a similar breach.

Many of these traders were set up with poor security measures in place and through a combination of technology and social engineering, they have been hacked and the money stolen.

Whether you are trading Bitcoins, or just using online banking and shopping services, it is vital that you keep your security details safe, whether they be usernames and passwords, Cryptographic Keys, or simple ‘autofill’ options on web sites. Keep them to yourself and be wary of where you enter them online, as they are all targets for online criminals to plunder.

Graeme Wolfe

Information and IT Security Officer

11/12/2017

Data breaches affecting Universities

Posted on: 17 November 2017

This month our Information and IT Security officer, Graeme Wolfe, looks at more reported data security breaches affecting Universities and ways to avoid being in the media for all the wrong reasons.

You may have seen the news item in early November about another University suffering a data breach, this time the University of East Anglia. If you didn’t, view the media stories on the BBC and The Register web pages.

It would appear that UEA suffered a similar breach a few months back, where sensitive personal information was sent to the wrong people.

Lessons need to be learnt from this breach, which is why if you are thinking of sending sensitive information out by email, you should ask yourself a couple of basic questions.

  1. Should I be sending this by email?
  2. Who exactly am I sending this to and why?

Double check before you hit ‘send’ that you are sending the email to the right person and not a mailing list or someone with the same first name as your intended recipient. Mistakes are easy to make and almost impossible to rectify.

There are other methods of sharing data with people that can be more secure than email. For further guidance, we can advise on how to gain access to, and use, an encrypted email service for your University account.

The Security and Compliance team are here to help and advise anyone who deals with sensitive information at the University on how to store and transmit such information securely, and to ensure our University does not suffer a breach and receive media headlines similar to those currently in the press.

Graeme Wolfe

Information and IT Security Officer

17/11/2017

Are your ears burning?

Posted on: 19 October 2017

This month our Information and IT Security Officer, Graeme Wolfe, looks at how you can find out when your name is used, or appears online.

Noel Coward once said that the only thing worse than being talked about, was not being talked about. But in our modern, online world, knowing who is saying what and when could be very important.

Last month we showed how to find out if your email has been hacked; this month we look at finding references to personal data online.

With over 644 million web pages, plus many other postings on social media channels, blogs, vlogs and podcasts, searching through them all for mentions of your own name would be a mammoth task.

Fortunately Google can make this easy for you. Google Alerts are automatically generated notifications that will send an email to your inbox to alert you every time your chosen search term is found online.

Alerts are easy to set up and can be set to send you updates daily, weekly, monthly or as they occur. Just go to https://www.google.co.uk/alerts or search for ‘google alerts’ then enter the details you want to get alerts on – John Smith for example – into the search boxes. If your name is a very common one you could get many alerts which are nothing to do with you personally – if you’re not sure if you have a popular name, this tool will help you find out.

If you use the Chrome browser, have a Gmail account and are logged in to them, alerts will pre-populate the ‘me on the web’ section for you. Having the accounts is not essential to set up alerts, but it does make things easier, just follow the simple online instructions.

Once you have set everything up, then whenever there is a new mention of your name on the web you will get an email alert.

I have set Google alerts up for family and friends and they have proved useful in identifying content about them that was inappropriate or inaccurate, which they have then had taken down or corrected, content which you may never have been aware was there in the first place.

Remember – Knowledge is power.

Graeme Wolfe

Information and IT Security Officer

16/10/2017

Have you been ‘pwned’?

Posted on: 20 September 2017

This month our Information and IT Security officer, Graeme Wolfe, looks at recent security breaches, lists of potentially hacked accounts and what it means to be ‘pwned’.

You may not have heard, recently, that a collection of over 700 Million email addresses was found online, posted on a web server with an obscure URL, supposedly to prevent accidental detection.

You may, however, have heard of some of the recent high profile data breaches at Equifax, Ashley Madison, Adobe, LinkedIn, DropBox, Yahoo, Talk Talk, AA, Target, TK Maxx…I could go on and on – which is where many of the email addresses and other sensitive data were originally harvested from.

When the University’s security team ‘CSIRT’ (Computer Security Incident Response Team) found out about this, we decided to investigate and see if there were any instances of @Westminster or @my.Westminster email addresses in this list. Unfortunately we found many thousands of our email addresses listed, so we decided to act on your behalf.

Many of you will have recently received an email from Csirt@westminster.ac.uk, advising you that your Westminster account had been linked to a high-profile data breach and that you should change the password not only on the breached account, but also on your Westminster account, especially if you use the same password across multiple accounts.

After any security or data breach, you should take the following action:

  • When you are made aware of a breach, then change your passwords straight away
  • Consider using a password manager to generate and store unique passwords for each online account
  • Never use the same password on different accounts
  • Never reuse your Westminster log in details for other external services

You can check to see if your own personal email accounts, as well as your Westminster ones, have been breached on https://haveibeenpwned.com/. ‘Pwned’ is a widely used slang term (with origins in online gaming) meaning to conquer, appropriate or gain ownership of.

Just enter an email address and it will tell you if it has been ‘pwned’ and where the information may have been taken from. If you have been ‘pwned’ you should be on your guard for any spam / phishing / malware emails directed at you and you should follow the actions above. If you haven’t already been a target for scammers, then any security expert will tell you, it’s only a matter of time.

Graeme Wolfe

Information and IT Security Officer

15/09/2017

Scheduled scamming

Posted on: 22 August 2017

This month, Graeme Wolfe, Information and IT Security Officer, takes a further look at the cycle of scams and what all the scheduled topics have in common.

Each year, around this time, I return to the subject of regular scams. If you check my blogs from previous summers (see links attached here and here), you will see there are cycles in scammers’ schedules. For example, over the summer and the new academic year, subject lines will use wording that appeals to people at this time of year, such as flights, clearing, loans, car hire, password reset and grants. These have all been used as ‘hooks’ in the past by scammers to try and get your information.

With this being the holiday season, scammers try to use words like flights, car hire and holidays in their messages, to fool people into either handing over their personal information or even scamming them out of their money.

Also with many students sorting their details out for the forthcoming year, messages with things relating to loans, grants and clearing applications can be used to try and get log in and banking details from both existing and prospective students.

Additionally, as many students receive their access details to University systems around this time of year, and these often expire after one year, scam messages about renewing your password do the rounds and can get mixed up with a genuine message about changing your password. This is the genuine site for Westminster password self-service; any other links are likely to be a scam or phishing attempt.

Some of these scams are too obvious to be genuine. Titles such as ‘log in and apply for your £3k grant’ or ‘log in to find out about your 13% pay rise’ should automatically raise an alarm to everyone. But some of them are very clever and the details / sites look like they could be genuine. So please be cautious and if you are in any doubt, then check with the Service Desk to see if it is a known scam, or speak with the Security and Compliance Team, who are always happy to help and advise you in such matters.

Working on the following two principles should help to keep you ahead of the fraudsters.

  1. If it looks too good to be true, then it probably is.
  2. Mistaking a genuine message for a scam is nowhere near as bad as mistaking a scam for a genuine message.

Graeme Wolfe

Information and IT Security Officer

21/08/2017

Flash, a-ah, saviour of the universe – not for much longer

Posted on: 31 July 2017

This month our Information and IT Security officer, Graeme Wolfe, looks at the demise of Adobe Flash and the future of moving images on t’internet.

When I heard that Flash was going to be killed off in 2020, my first thought was for the 1980 movie and Brian Blessed shouting “Flash Gordon’s alive!”

But in reality it is far less entertaining than that. Adobe, the owners of the Flash software, have decided there will be no more updates and patches for this rather ‘buggy’ and insecure plug-in, which runs in many browsers world-wide.

Until recently Flash ran in browsers, powering videos, games and other animations. But because it was used by so many people, it was a constant target for malware writers trying to get inside it to plant their own code for their own, nefarious, purposes.

It didn’t help that this wasn’t a very secure, or well written piece of software. So regular updates had to be issued out when a vulnerability was exposed.

Newer technologies have superseded Flash, such as HTML5, which is present in just about all modern browsers. Adobe have been slowly removing flash updates and support from other platforms for some time now.

Most ‘Smart’ TVs will now no longer play Flash-based internet video files and games. Android-powered smartphones had the support removed around the same time, in 2012. Apple have never liked the product and it was not an option in the App Store. But it did provide a quick and simple way to show moving images in a web browser.

Flash – Gone, but not forgotten.

Graeme Wolfe

Information and IT Security Officer

31/07/2017

GDP aarrgh!

Posted on: 27 June 2017

This month our Information and IT Security Officer, Graeme Wolfe, looks at the upcoming changes to Data Protection legislation, explains GDPR and considers the impact for our University.


InfoSec17, the annual security exhibition and conference, returned to London in June. As with previous years, there continue to be two constants.

The first is that each event has seen more visitors, exhibitors, new products, presentations, workshops and ideas on display. This proves that security is a continually growing market which should not be ignored, and that the issues around it will not disappear anytime soon.

The second is that there is often a theme that the exhibitors focus on to promote their products. This year saw two themes given equal exposure: Ransomware and the General Data Protection Regulation [GDPR].

If you have been following my recent blogs, or seen the news, then you will be aware of the recent high profile ransomware attacks on corporations around the world, including the NHS and most recently the password attack on Parliament. But you may not have heard about the introduction of GDPR, which will have a huge impact on how we all process, store and share data in the future.

Currently all organisations in the UK that handle sensitive personal data are bound by the Data Protection Act 1998 (DPA). But in less than a year [25 May 2018 to be precise], this will be replaced by the General Data Protection Regulation [GDPR], which will apply across the European Union, unifying data protection rules.

GDPR:

  • Places more responsibility on organisations, large and small, to ensure they handle personal data in a safe and secure manner.
  • Redefines what is personal data and the accountability and governance that must go along with its everyday use and storage.
  • Applies to both electronic and hard copy data, new and existing systems, as well as archived materials.
  • Defines new roles and responsibilities in organisations and will bring some big changes with it.

One of the big changes is the level of fines that can be imposed for breaching the GDPR. Currently the maximum fine for breaching the DPA is £500,000; this is to be increased to a maximum of 20 Million Euros or 4% of global turnover. For small organisations that lose personal data, any fine can make a large impact on their budgets; however, the increases that have been put in place will impact on large multinationals too, and ensure they also take notice of these rules.

The University of Westminster’s Compliance team have been working on getting us ready for GDPR for some time. There is still much work to be done, but speaking to visitors and exhibitors at InfoSec17, we appear to be ahead of many other organisations in this matter.

Graeme Wolfe

Information and IT Security Officer

26/06/17